[resend,RFC,2/9] s390/gmap: don't unconditionally call pte_unmap_unlock() in __gmap_zap()

Message ID 20210909162248.14969-3-david@redhat.com (mailing list archive)
State New, archived
Series s390: fixes, cleanups and optimizations for page table walkers

Commit Message

David Hildenbrand Sept. 9, 2021, 4:22 p.m. UTC
... otherwise we will try unlocking a spinlock that was never locked via a
garbage pointer.

At the time we reach this code path, we usually successfully looked up
a PGSTE already; however, evil user space could have manipulated the VMA
layout in the meantime and triggered removal of the page table.

Fixes: 1e133ab296f3 ("s390/mm: split arch/s390/mm/pgtable.c")
Signed-off-by: David Hildenbrand <david@redhat.com>
---
 arch/s390/mm/gmap.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

Comments

Claudio Imbrenda Sept. 14, 2021, 4:52 p.m. UTC | #1
On Thu,  9 Sep 2021 18:22:41 +0200
David Hildenbrand <david@redhat.com> wrote:

> ... otherwise we will try unlocking a spinlock that was never locked via a
> garbage pointer.
> 
> At the time we reach this code path, we usually successfully looked up
> a PGSTE already; however, evil user space could have manipulated the VMA
> layout in the meantime and triggered removal of the page table.
> 
> Fixes: 1e133ab296f3 ("s390/mm: split arch/s390/mm/pgtable.c")
> Signed-off-by: David Hildenbrand <david@redhat.com>

Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com>

> ---
>  arch/s390/mm/gmap.c | 5 +++--
>  1 file changed, 3 insertions(+), 2 deletions(-)
> 
> diff --git a/arch/s390/mm/gmap.c b/arch/s390/mm/gmap.c
> index b6b56cd4ca64..9023bf3ced89 100644
> --- a/arch/s390/mm/gmap.c
> +++ b/arch/s390/mm/gmap.c
> @@ -690,9 +690,10 @@ void __gmap_zap(struct gmap *gmap, unsigned long gaddr)
>  
>  		/* Get pointer to the page table entry */
>  		ptep = get_locked_pte(gmap->mm, vmaddr, &ptl);
> -		if (likely(ptep))
> +		if (likely(ptep)) {
>  			ptep_zap_unused(gmap->mm, vmaddr, ptep, 0);
> -		pte_unmap_unlock(ptep, ptl);
> +			pte_unmap_unlock(ptep, ptl);
> +		}
>  	}
>  }
>  EXPORT_SYMBOL_GPL(__gmap_zap);
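
Review bot: Nothing at the `if (likely(ptep)) {` check says why a NULL return from get_locked_pte() is expected here, so the skipped entry looks accidental. A one-line comment above the check, noting that user space can change the VMA layout and get the page table removed after the earlier PGSTE lookup, would keep a later cleanup from moving pte_unmap_unlock() back outside the braces.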

Patch

diff --git a/arch/s390/mm/gmap.c b/arch/s390/mm/gmap.c
index b6b56cd4ca64..9023bf3ced89 100644
--- a/arch/s390/mm/gmap.c
+++ b/arch/s390/mm/gmap.c
@@ -690,9 +690,10 @@  void __gmap_zap(struct gmap *gmap, unsigned long gaddr)
 
 		/* Get pointer to the page table entry */
 		ptep = get_locked_pte(gmap->mm, vmaddr, &ptl);
-		if (likely(ptep))
+		if (likely(ptep)) {
 			ptep_zap_unused(gmap->mm, vmaddr, ptep, 0);
-		pte_unmap_unlock(ptep, ptl);
+			pte_unmap_unlock(ptep, ptl);
+		}
 	}
 }
 EXPORT_SYMBOL_GPL(__gmap_zap);
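
Review bot: The unguarded unlock pattern removed here, `pte_unmap_unlock(ptep, ptl);` sitting after an unbraced `if (likely(ptep))`, is easy to miss and may not be unique to __gmap_zap(). It would be worth checking the other get_locked_pte() call sites in arch/s390/mm/gmap.c for an unlock that runs when ptep is NULL, and stating in the commit message whether this was the only one.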